California Man Will Plead Guilty to Last Year’s Disney Hack
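A 25-year-old man hacked into a Disney employee's computer, stole a large amount of confidential data, and threatened to leak it. The data was eventually published, leading Disney to shut down its Slack channels. He faces charges of illegally obtaining information and threatening to damage a computer. He used the NullBulge alias to disguise his actions. 2025-5-5 12:25:36 Author: securityboulevard.com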

A 25-year-old California man will plead guilty in the coming weeks to hacking into a Walt Disney Co. employee’s personal computer last year, gaining access to thousands of non-public Disney Slack channels, and downloading about 1.1 million terabytes of confidential information.

After the hack, Ryan Mitchell Kramer, of Santa Clarita, California, then contacted the victim, threatening to release the information, according to the Justice Department (DOJ). When the victim didn’t respond, he not only released the stolen Slack files on a number of online platforms, but also the victim’s personal, bank, and medical data.

The leaked Disney information included data about revenue, login data, and personal information for company employees and former workers. Disney reportedly shut down its Slack channels after the breach.

Kramer will make an initial appearance in U.S. District Court in Los Angeles soon after agreeing to a plea deal that includes him pleading guilty to one count of accessing a computer and obtaining information and another count of threatening to damage a protected computer. Each carries a maximum of five years in prison.

Using the NullBulge Name

The hack and eventual data leak generated headlines last year, with reports saying that a Russian threat group called NullBulge was behind the incident. NullBulge reportedly emerged between April and June last year, targeting users in AI-focused application and gaming communities. The group poses as a hacktivist organization, but at least one cybersecurity firm says it is a false front and that its real activity is cybercrime, using such known malware as Async RAT and Xworm and delivering LockBit ransomware payloads.

“Though the group projects an image of activism claiming to be ‘protecting artists around the world’ and claims to be motivated by a pro-art, anti-AI cause, rather than profit, other activities tied to this threat actor may indicate otherwise,” Jim Walter, senior threat researcher at SentinelOne, wrote in a report.

A Malicious Application

According to DOJ prosecutors, Kramer early last year posted an application on a range of online platforms, including GitHub, that claimed to enable users to create AI-generated art but really contained a malicious file that gave him access into the computers of people who downloaded it.

“Sometime in April and May of 2024, a victim downloaded the malicious file Kramer posted online, giving Kramer access to the victim’s personal computer, including an online account where the victim stored login credentials and passwords for the victim’s personal and work accounts,” the DOJ wrote.

Kramer used his access to those credentials to access a Slack online account the victim used as a Disney employee, which gave him access to the Disney Slack channels and the confidential information they held.

In July 2024, he contacted the victim through email and the Discord messaging platform and pretended to be a member of NullBulge – which the DOJ described as a “fake Russia-based hacktivist group” – threatening to disclose the victim’s personal information and the Disney Slack data.

The information was publicly released on July 12. Though the DOJ claimed Kramer was “pretending” to be a member of NullBulge, the group did claim responsibility for the hack.

Prosecutors didn’t disclose how they tracked down Kramer, but said he “admitted in his plea agreement that, in addition to the victim, at least two other victims downloaded Kramer’s malicious file, and that Kramer was able to gain unauthorized access to their computers and accounts.”

A Cybercrime Gang in Hacktivist Clothing

Kramer's use of the NullBulge name in California – and particularly with Disney – made sense. The group’s official website reportedly claims it works to protect artists’ rights and to ensure they are fairly compensated for their work.

SentinelOne’s Walter wrote that “NullBulge demonstrates a shift in the ransomware ecosystem where actors adopt hacktivist causes for financial gain.”

“NullBulge is a low-sophistication actor, targeting an emerging pool of victims with commodity malware and ransomware,” he wrote. “The group’s invasive targeting of AI-centric games and applications poses a threat to those working with such technologies and highlights an intriguing area of focus for threat actors. Its methods of staging and delivering malicious code – such as obfuscated code in public repositories – is not new, but the target demographic is an emerging sector which is increasingly being targeted.”

Walter noted that NullBulge and similar groups are part of “the ongoing threat of low-barrier-of-entry ransomware, combined with the evergreen effect of infostealer infections.”

Source: https://securityboulevard.com/2025/05/california-man-will-plead-guilty-to-last-years-disney-hack/?utm_source=rss&utm_medium=rss&utm_campaign=california-man-will-plead-guilty-to-last-years-disney-hack